[Bro] Question on Bro efficiency and bonded interfaces running async traffic
espressobeanies at gmail.com
Mon Mar 13 12:55:09 PDT 2017
On Mon, Mar 13, 2017 at 3:46 PM, Seth Hall <seth at corelight.com> wrote:
> > On Mar 13, 2017, at 3:18 PM, Espresso Beanies <espressobeanies at gmail.com> wrote:
> >
> > My Bro setup has two hard links, each running uplink and downlink
> > traffic separately. Would it be more efficient for Bro to define each hard
> > link in the node.cfg or do a soft-bond that merges both hard links into a
> > virtual interface, that channels into Bro?
>
> You will need to merge the interfaces. You can’t monitor them separately
> because a Bro process needs to see both sides of a connection, but if you
> run with each interface on a different Bro process, each process will only
> see a single direction of traffic.
>
> If you merge/bond interfaces, it’s very possible that some of your
> connections will be messed up as well because there is no synchronization
> between how packets are received from the separate interfaces and you
> could receive traffic out of order. I typically recommend that people
> merge traffic in a switch (SPAN port) or through a packet broker because
> those will merge the packets from different interfaces correctly.
>
> Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
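
As an added example (not part of the original thread and not Bro's own code): a Python check over conn.log `history` values that shows what a sensor seeing only one direction of traffic looks like in its output. The log rows, uid values and the `classify` heuristic are assumptions constructed for this example.

```python
from collections import Counter

# Constructed sample: a subset of Bro conn.log columns in its TSV layout.
FIELDS = ["ts", "uid", "id.orig_h", "id.resp_h", "proto", "history"]
ROWS = [
    ["1489434000.10", "Cexample1", "10.0.0.5", "192.0.2.10", "tcp", "ShADadFf"],
    ["1489434001.20", "Cexample2", "10.0.0.5", "192.0.2.11", "tcp", "SADF"],
    ["1489434002.30", "Cexample3", "10.0.0.6", "192.0.2.12", "tcp", "^hadf"],
    ["1489434003.40", "Cexample4", "10.0.0.7", "192.0.2.13", "tcp", "S"],
    ["1489434004.50", "Cexample5", "10.0.0.8", "192.0.2.14", "udp", "Dd"],
]
SAMPLE_LOG = "\n".join(
    ["#fields\t" + "\t".join(FIELDS)] + ["\t".join(r) for r in ROWS]
)


def parse_conn_log(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def classify(history):
    """Uppercase history letters come from the originator, lowercase from the responder."""
    hist = history.lstrip("^")  # '^' marks a connection whose direction was flipped
    orig_seen = any(c.isupper() for c in hist)
    resp_seen = any(c.islower() for c in hist)
    if orig_seen and resp_seen:
        return "both"
    if orig_seen and set(hist) & set("AD"):
        return "orig_only"   # originator ACKed or sent data, yet no reply was captured
    if resp_seen:
        return "resp_only"
    return "inconclusive"    # e.g. a lone SYN: an unanswered probe, not proof of asymmetry


def direction_summary(text):
    """Count TCP connections by which side(s) of the conversation the sensor saw."""
    return Counter(
        classify(r["history"]) for r in parse_conn_log(text) if r["proto"] == "tcp"
    )
```

A large share of `orig_only` or `resp_only` records on one worker suggests that process is receiving only the uplink or only the downlink.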